Privacy Policy – Riders

 

Who is the data controller?

The data controller, i.e. the body that defines the purposes and means of the processing specified in this privacy policy, is Delivery Hero Innovations Hub GmbH, but usually we just use the name foodpanda. You can always contact us via the following methods: Oranienburger Straße 70, 10117 Berlin, Germany (hereinafter referred to as “foodpanda”, “we”, “our”, “controller”). We also use the term “rider” for your salutation.

 

Please note that you might have been hired as a rider by a third-party logistics company which is not part of our group of companies. In this case, this company generally processes your personal data as a separate data controller, acting as a joint controller with our company only with respect to the IT applications we provide. You are free to assert your legal rights in this context either against us or against the third party with whom you have contracted and who acts as a joint controller. However, the legal joint controller relationship relates only to the processing of personal data on our online platforms. We have no influence on, and are not responsible for, the processing of personal data by such party in other contexts.

 

Why and which personal data do we process?

Below you can see which of your data we need for which purposes and under which circumstances we share your data with others. 

Personal data is information from which we can directly or indirectly identify you as a person, such as location data. Please be aware, however, that anonymized data will not qualify as personal data.

 

Which personal data do we process? 

In order to provide our delivery service to our customers, we use various tools and systems that are absolutely necessary for the delivery of orders. We also use external and internal tools and systems to process your personal data for personnel management and business operations.

Generally, we collect, process and store the following categories of personal data within the scope of making available our tools and systems:

 

Performance Data
  shift times, order details
Geolocation data
  GPS data
Technical data
  device data

 

For what purposes do we process personal data?

We only collect your personal data if this is necessary to achieve the performance of the contract with you, the intended purpose is legal and the processing is proportionate. Below we would like to give you more information about our processing activities, their purposes and the applicable legal basis under the applicable EU General Data Protection Regulation (GDPR):

 

Processing Activity 
 Why do we process data for this purpose?
Rider accounts
Creation of required accounts for the applications used

Categories of personal data: 

  • Identification data
  • Account data

Legal basis:

  • Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR
Working time recording
Recording of work performed by the rider

Categories of personal data: 

  • Identification data
  • Start and end date of shift, breaks

Legal basis:

  • Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR
Presence/shift monitoring
Assessment of the reliability of riders

Categories of personal data: 

  • Identification data
  • Account data
  • Working hours

Legal basis:

  • Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR
Customer communication
Communication with customers about the status of the order or delivery

Categories of personal data: 

  • Identification data
  • Contact details
  • Location data
  • Content of communication

Legal basis:

  • Legitimate Interest, Art. 6 (1) f) GDPR
Communication
Different tools are used for communication between all riders. The purpose of the processing is the communication of necessary information/troubleshooting in case support is needed.

Categories of personal data: 

  • Identification data
  • Contact data

Legal basis:

  • Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR
  • Legitimate interest, Art. 6 (1) f) GDPR for newsletter 
Delivery
To ensure a prompt delivery of the products ordered by our customers, the coordination data of riders is collected, and the order is assigned to the rider who will be able to deliver the order with the best possible timing.

Categories of personal data: 

  • Identification data
  • Geolocation data
  • Technical data

Legal basis:

  • Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR
  • Legitimate interest, Art. 6 (1) f) GDPR
Delivery Estimation
In order to be able to inform customers of the expected delivery time, average speed data per vehicle type is processed in an anonymous form.  

Categories of personal data: 

  • Geolocation data (anonymized)

Legal basis:

  • Legitimate interest, Art. 6 (1) f) GDPR
Shift planning and time recording
The purpose of the processing is to monitor the hours worked. Additionally, work records will be generated based on performed hours.

Categories of personal data: 

  • Identification data
  • Contact data
  • Account data
  • Performance data
  • Geolocation data

Legal basis:

  • Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR
  • Legitimate interest, Art. 6 (1) f) GDPR
Performance evaluation
Evaluation of rider performance includes reliability before, during and after the shift. This also includes, but is not limited to, the punctual start of the shift, proper login and acceptance of orders during the shift until the end of the shift as well as the proper execution of the order.

Categories of personal data: 

  • Identification data
  • Contact data
  • Performance data
  • Geolocation data
  • Technical data

Legal basis:

  • Performance of an employment contract, Art. 88 GDPR, Section 26 (1) BDSG, Art. 6 (1) b) GDPR

 

How long do we store personal data?

When processing your personal data we observe the principle of storage limitation. That means personal data is stored in a form that permits the identification of the data subjects only for as long as is strictly necessary for the purposes for which the data is collected. The storage periods are based on the applicable statutory provisions. After expiry of the retention periods, we delete your personal data. With regard to GPS data, a storage period of six months has been defined, whereby the GPS data is anonymized after one month of its collection and can no longer be assigned to a specific employee. This storage period is necessary for evaluation purposes (calculation of delivery times in anonymous form), billing and as evidence in cases of incidents relevant under criminal law. After expiration of the storage period, we delete or anonymize the personal data of the employees in a manner that complies with the requirements of the GDPR.

How do we share?

We never share your data with unauthorized third parties, nor do we sell your data. However, as part of our work we obtain the services of selected service providers and give them limited and strictly monitored access to some of our data. Before we forward personal data to these data processors for processing on our behalf, each individual company undergoes an audit. All data recipients must meet the legal data protection requirements and prove their data protection level with appropriate proofs. 

In the following we would like to inform you in a transparent and understandable way about all our data recipients with the respective transfer purposes:

 

Data recipient
Reason for sharing
External service providers
They support our business activities by providing us with IT solutions and infrastructure or by ensuring the security of our business operations, for example by identifying and rectifying faults. Furthermore, personal data may also be disclosed to external tax consultants, lawyers or auditors if they provide services for which they have been commissioned. 
Members of the Delivery Hero SE Group
Within a group of companies it is sometimes necessary to use resources effectively. In this context, we support each other within our group in optimizing our processes. In addition, we provide joint content and services. This includes, for example, the technical support of systems or database hosting for our rider applications. In legal terms, taking decisions on the purposes and means of processing is called “joint controllership” of data.

Your employer is fully responsible for fulfilling the data protection requirements together with Delivery Hero SE. Within the framework of joint regulations, both the employer and Delivery Hero SE have agreed that both will guarantee your rights equally.

You can therefore address any requests both to us who have engaged you as a rider, and to Delivery Hero SE, Oranienburger Straße 70, 10117 Berlin. You can reach the data protection officer of Delivery Hero SE at [email protected]

Prosecuting authorities and legal proceedings
Unfortunately, it can happen that a few of the riders or service providers do not behave fairly and want to harm us. In these cases we are not only obliged to hand over personal data due to legal obligations, it is of course also in our interest to prevent damage and to enforce our claims and to reject unjustified claims.

 

Data processing outside the EU and EEA

We process your data mainly within the European Union (EU) and the European Economic Area (EEA). However, it might be required to transfer your personal data to a country outside the territory of the EU or EEA (these countries are called “third countries” in the GDPR).

This is, for example, the case with our database providers (Google and Amazon Web Services). While these parties have their seat of business in the EU, they are subsidiaries of organizations headquartered in the United States (US). Consequently, to provide their cloud services it might be required for certain personal data to be accessible from the US.

The GDPR has high requirements for the transfer of personal data to third countries. All our data receivers have to measure up to these requirements. Before we transfer your data to a service provider in third countries, every service provider is first assessed with regard to its data protection level. Only if they can demonstrate an adequate level of data protection will they be shortlisted as service providers.

Regardless of whether our service providers are located within the EU/EEA or in third countries, each service provider must sign a data processing agreement with us. Service providers outside the EU/EEA must meet additional requirements. Unless there is a legally binding decision confirming that a third country provides an adequate level of data protection, all transfers to third countries will be subject to appropriate safeguards such as binding corporate rules or approved standard contractual clauses. Where necessary, we have implemented supplementary security measures under the standard contractual clauses certified by the EU Commission to provide an adequate level of data protection for any transfers outside the EU. You can obtain a copy of the standard contractual clauses by contacting us.

Automated Decision-Making

We also process your personal data in the context of algorithms in order to simplify our processes. Of course, you have the right not to be subject to decisions based solely on automated processing. However, we do not conduct any fully automated decision-making with a final binding effect on you as a rider but will always keep the door open for human review by one of our employees. For example, if you disagree with the decisions made by our rider applications we do grant you the opportunity to have these reviewed and, if necessary, changed by a human being. 

If you believe that we have made an automated decision in an unjustified way, you can always contact us. In this case, we will examine the case separately and decide on a case-by-case basis.

What are your legal rights as a data subject and how can you assert them?

In addition, you have the following rights:

Right to access
You have the right to be informed which data we store about you and how we process this data. This also includes receiving a copy of your data.
Right to rectification
If you notice that processed data is incorrect, you can always ask us to correct it.
Right to erasure
You can ask us at any time to delete the data we have stored about you.
Right to restriction of processing
If you do not wish to delete your data, but do not want us to process it further, you can ask us to restrict the processing of your personal data. In this case, we will archive your data and only reintegrate it into our operative systems if you so wish. However, during this time you will not be able to use our services, otherwise we will process your data again. We will also restrict the processing of your data if you have requested us to delete it but we are not able to comply with your request due to the applicability of statutory retention periods.
Right to data portability
You can ask us to transmit the data stored about you in a machine-readable format to you or to another responsible person. In this context, we will make the data available to you in JSON or another customary format.
Right to withdraw consent and to object to the processing of your data
You can revoke your consent at any time or object to the further processing of your data. This also includes objecting to processing that we carry out without your consent but on the basis of our legitimate interest. This applies, for example, to direct marketing. You can object to receiving further newsletters at any time.

 You also have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is processed on the basis of Art. 6 (1) f) GDPR (data processing on the basis of a balance of interests); this also applies to any profiling for the purposes of Art. 4 (4) GDPR based on this provision. If you object, we will no longer process your personal data in the future unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms.

Right of complaint
If you believe that we have done something wrong with your personal data or your rights, you can complain to the appropriate supervisory authority at any time. You can raise a complaint about our processing of your personal data with the data protection authority in the EU Member State of your habitual residence, place of work or the place where you think a violation of the GDPR has occurred. In the case of cross-border data processing, you can also lodge a complaint with our lead supervisory authority in Berlin, Germany.

 

Date July 07, 2022 /  PP Version: 4.0